feat(v1.2): adding support to kics v1.3.0

This commit is contained in:
Rogério Peixoto
2021-05-10 18:06:05 +01:00
parent fcd230e2a5
commit 559be60ad2
6 changed files with 99 additions and 9 deletions


@ -1,6 +1,6 @@
FROM ubuntu:20.04
RUN apt-get update && \
RUN apt-get update && \
apt-get install -y wget curl
COPY entrypoint.sh /entrypoint.sh


@ -20,7 +20,10 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
<br>
<img alt="CloudFormation" src="images/logo-cf.png" width="150">&nbsp;&nbsp;&nbsp;
<img alt="Ansible" src="images/logo-ansible.png" width="150">&nbsp;&nbsp;&nbsp;
<img alt="Helm" src="images/logo-helm.png" width="61" height="70">&nbsp;&nbsp;&nbsp;
<img alt="OpenAPI" src="images/logo-openapi.png" width="150">&nbsp;&nbsp;&nbsp;
<br>
<br>
<img alt="Helm" src="images/logo-helm.png" width="150">&nbsp;&nbsp;&nbsp;
### Please find more info in the official website: <a href="https://kics.io">kics.io</a>
@ -29,7 +32,11 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
| Variable | Example Value &nbsp; | Description &nbsp; | Type | Required | Default |
| ------------------ | --------------------------------------- | ---------------------------------------------------------------- | ------- | -------- | --------------------------------------------- |
| path | terraform | path to file or directory to scan | String | Yes | N/A |
| path | terraform/main.tf,Dockerfile | paths to a file or directories to scan, comma separated list | String | Yes | N/A |
| ignore_on_exit | results | defines which non-zero exit codes should be ignored (all, results, errors, none) | String | No | none |
| fail_on | high,medium | comma separated list of which severities returns exit code !=0 | String | No | high,medium,low,info |
| timeout | 75 | number of seconds the query has to execute before being canceled | String | No | 60 |
| profiling | CPU | turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM) | String | No | N/A |
| config_path | ./kics.config | path to configuration file | String | No | N/A |
| platform_type | terraform,ansible | case insensitive list of platform types to scan | String | No | All platforms |
| exclude_paths | ./shouldNotScan/*,somefile.txt | exclude paths from scan, supports glob, comma separated list | String | No | N/A |
@ -38,7 +45,7 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
| exclude_results | 'd4a1fa80-d9d8-450f-87c2-e1f6669c41f8' | exclude results by providing the similarity ID of a result | String | No | N/A |
| output_formats | 'json,sarif' | formats in which the results report will be exported | String | No | json |
| output_path | results.json | file path to store result in json format | String | No | N/A |
| payload_path | | file path to store source internal representation in JSON format | String | No | N/A |
| payload_path | /tmp/mypayload.json | file path to store source internal representation in JSON format | String | No | N/A |
| queries | | path to directory with queries (default "./assets/queries") | String | No | ./assets/queries downloaded with the binaries |
| verbose | true | verbose scan | Boolean | No | false |
@ -51,9 +58,10 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
- uses: actions/checkout@v2
# Scan Iac with kics
- name: run kics Scan
uses: checkmarx/kics-action@v1.0
uses: checkmarx/kics-action@v1.2
with:
path: 'terraform'
# scanning two directories: ./terraform/ ./cfn-templates/ plus a single file
path: 'terraform,cfn-templates,my-other-sub-folder/Dockerfile'
output_path: 'results.json'
# Display the results in json format
- name: display kics results
@ -61,6 +69,67 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
cat results.json
```
## Workflow failures
By default KICS will fail your workflow on any results found.
### Fail by severity usage example
If want your pipeline just to fail on HIGH and MEDIUM severity results and KICS engine execution errors:
```yaml
steps:
- uses: actions/checkout@v2
- name: run kics Scan
uses: checkmarx/kics-action@v1.2
with:
path: 'terraform,my-other-sub-folder/Dockerfile'
fail_on: high,medium
output_path: 'results.json'
- name: display kics results
run: |
cat results.json
```
### Don't fail on results
If you want KICS to ignore the results and return exit status code 0 unless a KICS engine error happens:
```yaml
steps:
- uses: actions/checkout@v2
- name: run kics Scan
uses: checkmarx/kics-action@v1.2
with:
path: 'terraform'
ignore_on_exit: results
output_path: 'results.json'
- name: display kics results
run: |
cat results.json
```
## Profiling KICS
You can only enable one profiler at a time, CPU or MEM.
> 📝 &nbsp; Please note that execution time may be impacted by enabling performance profiler due to sampling
```yaml
steps:
- uses: actions/checkout@v2
- name: run kics Scan
uses: checkmarx/kics-action@v1.2
with:
path: 'terraform'
profiling: MEM
output_path: 'results.json'
- name: display kics results
run: |
cat results.json
```
## Example using docker-runner and SARIF report
checkmarx/kics-action@docker-runner branch runs an alpine based linux container (`checkmarx/kics:nightly-alpine`) that doesn't require downloading kics binaries and queries in the `entrypoint.sh`
@ -106,6 +175,7 @@ jobs:
with:
sarif_file: results-dir/results.sarif
```
## Example using docker-runner and a config file
Check [configuration file](https://github.com/Checkmarx/kics/blob/master/docs/configuration-file.md) reference for more options.


@ -3,8 +3,20 @@ name: 'KICS Github Action'
description: 'Run KICS scan against IaC projects'
inputs:
path:
description: 'path to file or directory to scan'
description: 'paths to a file or directories to scan, accepts a comma separated list'
required: true
ignore_on_exit:
description: 'defines which non-zero exit codes should be ignored (all, results, errors, none)'
required: false
fail_on:
description: 'comma separated list of which severities returns exit code !=0'
required: false
timeout:
description: 'number of seconds the query has to execute before being canceled'
required: false
profiling:
description: 'turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM)'
required: false
config_path:
description: 'path to configuration file'
required: false
@ -48,6 +60,10 @@ runs:
image: 'Dockerfile'
args:
- ${{ inputs.path }}
- ${{ inputs.ignore_on_exit }}
- ${{ inputs.fail_on }}
- ${{ inputs.timeout }}
- ${{ inputs.profiling }}
- ${{ inputs.config }}
- ${{ inputs.platform_type }}
- ${{ inputs.exclude_paths }}
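Review bot: The four new inputs in the first hunk are declared `required: false` with no `default:`, and `fail_on` never says which severity names it accepts, so a user reading action.yml alone cannot tell what an unset value means or what to write; the README table gives `high,medium,low,info` as the default and `none`/`60` for `ignore_on_exit`/`timeout`, which suggests those are the kics CLI's own defaults applied when the flag is omitted. I would spell that out in the descriptions, e.g. `description: 'comma separated list of severities (high, medium, low, info) that make the scan return exit code !=0; defaults to the kics CLI behaviour when unset'`, and likewise note the CLI fallback on `ignore_on_exit` and `timeout`, so the action's contract matches the documented table without changing what is passed to the entrypoint. Separately, the context line `- ${{ inputs.config }}` in the second hunk references an input that is not declared under `inputs:` (the declared one is `config_path`); this predates the commit and is probably inert since the entrypoint reads `INPUT_*` environment variables rather than positional args, but aligning it to `${{ inputs.config_path }}` would avoid confusion. The `inputs:` and `args:` mappings both continue outside the hunks.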


@ -18,6 +18,10 @@ fi
[[ ! -z "$INPUT_EXCLUDE_CATEGORIES" ]] && EXCLUDE_CATEGORIES_PARAM="--exclude-categories $INPUT_EXCLUDE_CATEGORIES"
[[ ! -z "$INPUT_OUTPUT_FORMATS" ]] && OUTPUT_FORMATS_PARAM="--report-formats $INPUT_OUTPUT_FORMATS"
[[ ! -z "$INPUT_PLATFORM_TYPE" ]] && PLATFORM_TYPE_PARAM="--type $INPUT_PLATFORM_TYPE"
[[ ! -z "$INPUT_IGNORE_ON_EXIT" ]] && IGNORE_ON_EXIT_PARAM="--ignore_on_exit $INPUT_IGNORE_ON_EXIT"
[[ ! -z "$INPUT_FAIL_ON" ]] && FAIL_ON_PARAM="--fail_on $INPUT_FAIL_ON"
[[ ! -z "$INPUT_TIMEOUT" ]] && TIMEOUT_PARAM="--timeout $INPUT_TIMEOUT"
[[ ! -z "$INPUT_PROFILING" ]] && PROFILING_PARAM="--profiling $INPUT_PROFILING"
[[ ! -z "$INPUT_VERBOSE" ]] && VERBOSE_PARAM="-v"
@ -38,5 +42,5 @@ wget -q -c "https://github.com/Checkmarx/kics/releases/download/${tag}/kics_${ve
echo "${DATETIME} - INF : current directory - ${PWD}"
echo "${DATETIME} - INF : about to scan directory $INPUT_PATH"
echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM"
kics scan --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM
echo "${DATETIME} - INF : kics command kics $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM"
kics scan --no-progress $INPUT_PARAM $OUTPUT_PATH_PARAM $OUTPUT_FORMATS_PARAM $PLATFORM_TYPE_PARAM $PAYLOAD_PATH_PARAM $CONFIG_PATH_PARAM $EXCLUDE_PATHS_PARAM $EXCLUDE_CATEGORIES_PARAM $EXCLUDE_RESULTS_PARAM $EXCLUDE_QUERIES_PARAM $QUERIES_PARAM $VERBOSE_PARAM $IGNORE_ON_EXIT_PARAM $FAIL_ON_PARAM $TIMEOUT_PARAM $PROFILING_PARAM
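Review bot: The two new option strings on the `IGNORE_ON_EXIT_PARAM` and `FAIL_ON_PARAM` lines of the first hunk use underscores (`--ignore_on_exit`, `--fail_on`), while every other long option built in this file is hyphenated (`--exclude-categories`, `--report-formats`, `--type`) and the kics CLI spells these as `--ignore-on-exit` and `--fail-on`; if that holds for v1.3.0, setting either input would make every scan fail at argument parsing instead of adjusting the exit code, which is the opposite of what `ignore_on_exit: results` in the README promises. I would change them to `IGNORE_ON_EXIT_PARAM="--ignore-on-exit $INPUT_IGNORE_ON_EXIT"` and `FAIL_ON_PARAM="--fail-on $INPUT_FAIL_ON"` and confirm against `kics scan --help` for the pinned release. As a point of style, the new `*_PARAM` variables follow the existing unquoted-expansion pattern on the `kics scan` line, so a value containing whitespace is word-split into separate arguments; that is pre-existing and the inputs come from the workflow author, but a bash array of arguments would make the intent explicit and is worth a follow-up. Both hunks sit inside a script whose surrounding statements (the `wget` of the binary, the `INPUT_PARAM` assembly) are outside this view.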

images/logo-openapi.png Executable file
